In the wake of the recently uncovered DarkHotel attack which used compromised Wi-Fi networks in Five-Star hotels to hack the traditional and mobile devices of visiting high-level executives, there’s still a lack of awareness around the risks posed by mobile devices. That’s the view of SANS Institute instructor Raul Siles, a highly respected security researcher and one of the few individuals worldwide to have earned the GIAC Security Expert (GSE) designation.
“Many organisations have deployed MDM systems and this is a good first step in the right direction, but it’s not an ‘install and forget’ situation as the environment is much more complicated than, say, Windows, OS X or Linux,” explained Siles.
Siles highlights three problem areas in the way organisations are managing the threat posed by mobile devices: “The first issue is that the threat is often underappreciated as many of these devices move between the private and work life of the user,” he stated. “This challenges organisations to think differently about how to enforce management and security policies on devices that are not under the full control of the host company.”
However, Siles also believes that some of the security enhancements embedded within many mobile device platforms such as built-in encryption, ‘sandboxed’ applications and remote management capabilities may lull organisations into overlooking some of the more pressing issues.
“The rapid pace of change within the mobile space is both a blessing and a security curse,” asserted Siles. “With roughly 1.5 million applications for both Android and iOS, the amount of applications with malicious or unexpected behaviours or even applications that contain basic vulnerabilities is growing. Many of the devices are lacking in features to effectively manage significant areas of risk.”
Lack of necessary skill sets
The researcher points to a lack of functionality to manage IPv6 and personal firewalls as two sample areas where mobile devices are particularly weak.
“Another problem is the lack of skill sets within organisations to properly secure mobile environments and deal with threats,” commented Siles. “The number of mobile devices in use at some organisations is starting to overtake fixed desktop PCs and laptops, yet budgets for mobile information security training have not kept pace. This is a major issue, although we are seeing some improvement and particularly so as example incidents such as DarkHotel and others come to light.”
Siles will be teaching the SANS SEC575: Mobile Device Security and Ethical Hacking course in London this July. “This is one of the courses that we update most frequently to match the pace of change in the mobile industry.”
The course is designed to help organisations secure their mobile devices, applications and services by equipping personnel with the knowledge to design, deploy, operate and assess a well-managed and safe mobile environment.
The six-day intensive hands-on instruction teaches attendees how to capture and evaluate mobile device network activity, analyse strengths and weaknesses on each mobile platform, disassemble and analyse mobile code, recognise weaknesses in common mobile applications and conduct full-scale mobile penetration tests.
“We are also seeing more people from development backgrounds attending the course which is a welcome development,” explained Siles. “If you look at many of the recent hacks, they will often stem from vulnerabilities in libraries that are commonly used across families of applications. If we can help developers and integrators build secure apps then we can certainly mitigate one of the areas of major risk.”
*The SANS SEC575: Mobile Device Security and Ethical Hacking course will run as part of the ‘SANS London in Summer’ event from 13-18 July at the Grand Connaught Rooms in London’s West End. The event includes ten courses with topics from across the SANS curriculum including Security Essentials, Incident Handling, Penetration Testing, Management and Forensics.
**For more information visit: http://www.sans.org/event/london-in-the-summer-2015/